Posted
by
samzenpuson Wednesday June 19, 2013 @07:13PM
from the bug-hunt dept.

Trailrunner7 writes "After years of saying that the company didn't need a bug bounty program, Microsoft is starting one. The company today will announce the start of a new program that will pay security researchers up to $100,000 for serious vulnerabilities and as much as $50,000 for new defensive techniques that help protect against those flaws. Microsoft security officials say that the program has been a long time in development, and the factor that made this the right time to launch is the recent rise of vulnerability brokers. Up until quite recently, most of the researchers who found bugs in Microsoft products reported them directly to the company. That's no longer the case. The system that Microsoft is kicking off on June 26 will pay researchers $100,000 for a new exploit technique that is capable of bypassing the latest existing mitigations in the newest version of Windows."

However there are some things that will make this nearly impossible to claim even if you manage to find something.

It needs to be new, which means something they didn't know about.However, they don't need to tell anyone when they learn about something new, which opens a perfect hole for them to say "Oh that one, we knew about that one" even if they didn't.

The line "a new exploit technique that is capable of bypassing the latest existing mitigations in the newest version of Windows" is also important. Because if gives them another way out of paying for it. "Oh you are using Windows 8 with security patch 8.12.235321, but we are about to release security patch 8.12.235322 which has already fixed that - so you weren't on the latest version."

These are old tricks, which I have seen used by companies for other things where there is supposedly a reward.

Better late than never. Microsoft exploits have been traded and sold to security companies owned by intelligence agencies for years now. At least now the researchers discovering the bugs have an incentive to sell to microsoft and get the bug fixed instead of selling it to the highest bidder who will probably use it to create either "private"-malware or government-malware.
Thank you m$

There could be an influx of bug reports, I guess all those zero days waiting in the wings for a buyer, they might be cashed in, which is the whole point of this program, so the question is why did it take 15 years to arrive?

Dear Microsoft,
I have found a terrible bug in windows 8. I don't know how it got through testing, but the start button and its menu is missing. It isn't actually letting adversaries *in* to the system but it is letting an awful lot of users *out* of the system. So I'm hopeful that you can stretch the definition of "security bugs" to cover "financial security of Microsoft bugs" and get a check headed my way.

Can't get people to buy your latest piece of software?
Simply offering a generous bug bounty may be enough to convince technologists to buy and use your software.
While the cost of the program is likely greater than the related sales, said technologists will become accustomed to your new software and push it on to their families, their friends, their neighbours, their customers and their workplaces. Genius marketing is genius.

As a former validation and verification engineer/manager I find it to be obscene that these big institutions get work performed in V&V for next to nothing (and poorly at that). My team, at a large semiconductor company, comprised of 10 engineers to perform pre-silicon and board-set validation, and subsequently verification. And we were an augment to the designers, and other "silicon" teams, that were doing their own V&V, and "BIOS/EFI" and OS groups doing there own.

My 10 years in silicon and board-set validation has all the validation requirements of SW (chips are coded in languages too even 'C' sometimes), and another dozen+ layers of validation and verification to deal with electrical characteristics, material sciences, environmental, mfg process, and more layers than I care to list. This not only involves test software but all to often test hardware that is used for the very first time (which also need